http://bugzilla.maptools.org/show_bug.cgi?id=2508

RHSA-2016:1546

RHSA-2016:1547

DSA-3467

[oss-security] 20160124 CVE Request: tiff: potential out-of-bound write in NeXTDecode()

[oss-security] 20160124 Re: CVE Request: tiff: potential out-of-bound write in NeXTDecode()

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

81696

USN-2939-1

https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c57d3bf4e997a15b1cc1c

GLSA-201701-16

According to the versions of the compat-libtiff3 package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The (1) putcontig8bitYCbCr21tile function in     tif_getimage.c or (2) NeXTDecode function in tif_next.c     in LibTIFF allows remote attackers to cause a denial of     service (uninitialized memory access) via a crafted     TIFF image, as demonstrated by libtiff-cvs-1.tif and     libtiff-cvs-2.tif.(CVE-2014-8127,CVE-2014-8129,CVE-2014
    -8130,CVE-2014-9655)

  - A flaw was discovered in the bmp2tiff utility. By     tricking a user into processing a specially crafted     file, a remote attacker could exploit this flaw to     cause a crash or memory corruption and, possibly,     execute arbitrary code with the privileges of the user     running the libtiff     tool.(CVE-2014-9330,CVE-2015-7554,CVE-2015-8668,CVE-201     5-8665,CVE-2015-8781,CVE-2016-3632,CVE-2016-3945,CVE-20     16-3990,CVE-2016-3991,CVE-2016-5320,CVE-2016-5652,CVE-2     015-8683)

  - tools/tiffcp.c in libtiff has an out-of-bounds write on     tiled images with odd tile width versus image width.
    Reported as MSVR 35103, aka 'cpStripToTile     heap-buffer-overflow.'(CVE-2016-9540)

  - tif_predict.h and tif_predict.c in libtiff have     assertions that can lead to assertion failures in debug     mode, or buffer overflows in release mode, when dealing     with unusual tile size like YCbCr with subsampling.
    Reported as MSVR 35105, aka 'Predictor     heap-buffer-overflow.'(CVE-2016-9535,CVE-2016-9533,CVE-     2016-9534,CVE-2016-9536,CVE-2016-9537)

  - The NeXTDecode function in tif_next.c in LibTIFF allows     remote attackers to cause a denial of service     (uninitialized memory access) via a crafted TIFF image,     as demonstrated by libtiff5.tif.(CVE-2015-1547)

  - The NeXTDecode function in tif_next.c in LibTIFF allows     remote attackers to cause a denial of service     (out-of-bounds write) via a crafted TIFF image, as     demonstrated by libtiff5.tif.(CVE-2015-8784)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Multiple flaws have been discovered in libtiff. A     remote attacker could exploit these flaws to cause a     crash or memory corruption and, possibly, execute     arbitrary code by tricking an application linked     against libtiff into processing specially crafted     files.(CVE-2014-9655, CVE-2015-1547, CVE-2015-8784,     CVE-2015-8683, CVE-2015-8665, CVE-2015-8781,     CVE-2015-8782, CVE-2015-8783, CVE-2016-3990,     CVE-2016-5320)

  - Multiple flaws have been discovered in various libtiff     tools (bmp2tiff, pal2rgb, thumbnail, tiff2bw, tiff2pdf,     tiffcrop, tiffdither, tiffsplit, tiff2rgba). By     tricking a user into processing a specially crafted     file, a remote attacker could exploit these flaws to     cause a crash or memory corruption and, possibly,     execute arbitrary code with the privileges of the user     running the libtiff tool.(CVE-2014-8127, CVE-2014-8129,     CVE-2014-8130, CVE-2014-9330, CVE-2015-7554,     CVE-2015-8668, CVE-2016-3632, CVE-2016-3945,     CVE-2016-3991)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

tiff3 is affected by multiple issues that can result at least in denial of services of applications using libtiff4. Crafted TIFF files can be provided to trigger: abort() calls via failing assertions, buffer overruns (both in read and write mode).

CVE-2015-8781

tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds write) via an invalid number of samples per pixel in a LogL compressed TIFF image.

CVE-2015-8782

tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds writes) via a crafted TIFF image.

CVE-2015-8783

tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds reads) via a crafted TIFF image.

CVE-2015-8784

The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image.

CVE-2016-9533

tif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers.

CVE-2016-9534

tif_write.c in libtiff 4.0.6 has an issue in the error code path of TIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp members. 

CVE-2016-9535

tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling.

For Debian 7 'Wheezy', these problems have been fixed in version 3.9.6-11+deb7u4.

We recommend that you upgrade your tiff3 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201701-16 (libTIFF: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in libTIFF. Please review       the CVE identifier and bug reports referenced for details.
  Impact :

    A remote attacker could entice a user to process a specially crafted       image file, possibly resulting in execution of arbitrary code with the       privileges of the process or a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

CVE-2016-5314

Buffer overflow in the PixarLogDecode function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TIFF image, as demonstrated by overwriting the vgetparent function pointer with rgb2ycbcr.

Note : This was previously referenced as CVE-2016-5320. All CVE users should reference CVE-2016-5314 instead of CVE-2016-5320.

CVE-2015-8784 The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image, as demonstrated by libtiff5.tif.

Impact

An attacker can use specially crafted TIFF files to execute arbitrary code with the limited privileges of the image optimization process.

Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files.
(CVE-2014-9655 , CVE-2015-1547 , CVE-2015-8784 , CVE-2015-8683 , CVE-2015-8665 , CVE-2015-8781 , CVE-2015-8782 , CVE-2015-8783 , CVE-2016-3990 , CVE-2016-5320)

Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files.
(CVE-2014-9655 , CVE-2015-1547 , CVE-2015-8784 , CVE-2015-8683 , CVE-2015-8665 , CVE-2015-8781 , CVE-2015-8782 , CVE-2015-8783 , CVE-2016-3990 , CVE-2016-5320)

Multiple flaws have been discovered in various libtiff tools (bmp2tiff, pal2rgb, thumbnail, tiff2bw, tiff2pdf, tiffcrop, tiffdither, tiffsplit, tiff2rgba). By tricking a user into processing a specially crafted file, a remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool.
(CVE-2014-8127 , CVE-2014-8129 , CVE-2014-8130 , CVE-2014-9330 , CVE-2015-7554 , CVE-2015-8668 , CVE-2016-3632 , CVE-2016-3945 , CVE-2016-3991)

Security Fix(es) :

  - Multiple flaws have been discovered in libtiff. A remote     attacker could exploit these flaws to cause a crash or     memory corruption and, possibly, execute arbitrary code     by tricking an application linked against libtiff into     processing specially crafted files. (CVE-2014-9655,     CVE-2015-1547, CVE-2015-8784, CVE-2015-8683,     CVE-2015-8665, CVE-2015-8781, CVE-2015-8782,     CVE-2015-8783, CVE-2016-3990, CVE-2016-5320)

  - Multiple flaws have been discovered in various libtiff     tools (bmp2tiff, pal2rgb, thumbnail, tiff2bw, tiff2pdf,     tiffcrop, tiffdither, tiffsplit, tiff2rgba). By tricking     a user into processing a specially crafted file, a     remote attacker could exploit these flaws to cause a     crash or memory corruption and, possibly, execute     arbitrary code with the privileges of the user running     the libtiff tool. (CVE-2014-8127, CVE-2014-8129,     CVE-2014-8130, CVE-2014-9330, CVE-2015-7554,     CVE-2015-8668, CVE-2016-3632, CVE-2016-3945,     CVE-2016-3991)

An update for libtiff is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.

Security Fix(es) :

* Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files.
(CVE-2014-9655, CVE-2015-1547, CVE-2015-8784, CVE-2015-8683, CVE-2015-8665, CVE-2015-8781, CVE-2015-8782, CVE-2015-8783, CVE-2016-3990, CVE-2016-5320)

* Multiple flaws have been discovered in various libtiff tools (bmp2tiff, pal2rgb, thumbnail, tiff2bw, tiff2pdf, tiffcrop, tiffdither, tiffsplit, tiff2rgba). By tricking a user into processing a specially crafted file, a remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool.
(CVE-2014-8127, CVE-2014-8129, CVE-2014-8130, CVE-2014-9330, CVE-2015-7554, CVE-2015-8668, CVE-2016-3632, CVE-2016-3945, CVE-2016-3991)

An update for libtiff is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.

Security Fix(es) :

* Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files.
(CVE-2014-9655, CVE-2015-1547, CVE-2015-8784, CVE-2015-8683, CVE-2015-8665, CVE-2015-8781, CVE-2015-8782, CVE-2015-8783, CVE-2016-3990, CVE-2016-5320)

* Multiple flaws have been discovered in various libtiff tools (bmp2tiff, pal2rgb, thumbnail, tiff2bw, tiff2pdf, tiffcrop, tiffdither, tiffsplit, tiff2rgba). By tricking a user into processing a specially crafted file, a remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool.
(CVE-2014-8127, CVE-2014-8129, CVE-2014-8130, CVE-2014-9330, CVE-2015-7554, CVE-2015-8668, CVE-2016-3632, CVE-2016-3945, CVE-2016-3991)

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Update patch for (CVE-2014-8127)

  - Related: #1335099

  - Fix patches for (CVE-2016-3990, CVE-2016-5320)

  - Related: #1335099

  - Add patches for CVEs :

  - CVE-2016-3632 CVE-2016-3945 (CVE-2016-3990)

  - CVE-2016-3991 (CVE-2016-5320)

  - Related: #1335099

  - Update patch for (CVE-2014-8129)

  - Related: #1335099

  - Merge previously released fixes for CVEs :

  - CVE-2013-1960 CVE-2013-1961 (CVE-2013-4231)

  - CVE-2013-4232 CVE-2013-4243 (CVE-2013-4244)

  - Resolves: #1335099

  - Patch typos in (CVE-2014-8127)

  - Related: #1299919

  - Fix CVE-2014-8127 and CVE-2015-8668 patches

  - Related: #1299919

  - Fixed patches on preview CVEs

  - Related: #1299919

  - This resolves several CVEs

  - CVE-2014-8127, CVE-2014-8129, (CVE-2014-8130)

  - CVE-2014-9330, CVE-2014-9655, (CVE-2015-8781)

  - CVE-2015-8784, CVE-2015-1547, (CVE-2015-8683)

  - CVE-2015-8665, CVE-2015-7554, (CVE-2015-8668)

  - Resolves: #1299919

From Red Hat Security Advisory 2016:1547 :

An update for libtiff is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.

Security Fix(es) :

* Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files.
(CVE-2014-9655, CVE-2015-1547, CVE-2015-8784, CVE-2015-8683, CVE-2015-8665, CVE-2015-8781, CVE-2015-8782, CVE-2015-8783, CVE-2016-3990, CVE-2016-5320)

* Multiple flaws have been discovered in various libtiff tools (bmp2tiff, pal2rgb, thumbnail, tiff2bw, tiff2pdf, tiffcrop, tiffdither, tiffsplit, tiff2rgba). By tricking a user into processing a specially crafted file, a remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool.
(CVE-2014-8127, CVE-2014-8129, CVE-2014-8130, CVE-2014-9330, CVE-2015-7554, CVE-2015-8668, CVE-2016-3632, CVE-2016-3945, CVE-2016-3991)

From Red Hat Security Advisory 2016:1546 :

An update for libtiff is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.

Security Fix(es) :

* Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files.
(CVE-2014-9655, CVE-2015-1547, CVE-2015-8784, CVE-2015-8683, CVE-2015-8665, CVE-2015-8781, CVE-2015-8782, CVE-2015-8783, CVE-2016-3990, CVE-2016-5320)

* Multiple flaws have been discovered in various libtiff tools (bmp2tiff, pal2rgb, thumbnail, tiff2bw, tiff2pdf, tiffcrop, tiffdither, tiffsplit, tiff2rgba). By tricking a user into processing a specially crafted file, a remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool.
(CVE-2014-8127, CVE-2014-8129, CVE-2014-8130, CVE-2014-9330, CVE-2015-7554, CVE-2015-8668, CVE-2016-3632, CVE-2016-3945, CVE-2016-3991)

It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been found in tiff, a Tag Image File Format library. Multiple out-of-bounds read and write flaws could cause an application using the tiff library to crash.

Several security flaws have been found and solved in libtiff, a library that provides support for handling Tag Image File Format (TIFF). These flaws concern out of bounds reads and writes in the LogL16Decode, LogLuvDecode24, LogLuvDecode32, LogLuvDecodeTile, LogL16Encode, LogLuvEncode24, LogLuvEncode32 and NeXTDecode functions.

These IDs were assigned for the problems: CVE-2015-8781, CVE-2015-8782, CVE-2015-8783 and CVE-2015-8784.

For Debian 6 'Squeeze', these issues have been fixed in tiff version 3.9.4-5+squeeze14. We recommend you to upgrade your tiff packages.

Learn more about the Debian Long Term Support (LTS) Project and how to apply these updates at: https://wiki.debian.org/LTS/

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
99889	EulerOS 2.0 SP1 : compat-libtiff3 (EulerOS-SA-2017-1044)	Nessus	Huawei Local Security Checks	high
99888	EulerOS 2.0 SP2 : compat-libtiff3 (EulerOS-SA-2017-1043)	Nessus	Huawei Local Security Checks	high
99797	EulerOS 2.0 SP1 : libtiff (EulerOS-SA-2016-1034)	Nessus	Huawei Local Security Checks	high
99107	Debian DLA-880-1 : tiff3 security update	Nessus	Debian Local Security Checks	high
96373	GLSA-201701-16 : libTIFF: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
94648	F5 Networks BIG-IP : LibTIFF vulnerabilities (K89096577)	Nessus	F5 Networks Local Security Checks	medium
93012	Amazon Linux AMI : compat-libtiff3 (ALAS-2016-734)	Nessus	Amazon Linux Local Security Checks	medium
93011	Amazon Linux AMI : libtiff (ALAS-2016-733)	Nessus	Amazon Linux Local Security Checks	high
92720	Scientific Linux Security Update : libtiff on SL7.x x86_64	Nessus	Scientific Linux Local Security Checks	high
92698	Scientific Linux Security Update : libtiff on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
92697	RHEL 6 : libtiff (RHSA-2016:1547)	Nessus	Red Hat Local Security Checks	high
92696	RHEL 7 : libtiff (RHSA-2016:1546)	Nessus	Red Hat Local Security Checks	high
92691	OracleVM 3.3 / 3.4 : libtiff (OVMSA-2016-0093)	Nessus	OracleVM Local Security Checks	high
92690	Oracle Linux 6 : libtiff (ELSA-2016-1547)	Nessus	Oracle Linux Local Security Checks	high
92689	Oracle Linux 7 : libtiff (ELSA-2016-1546)	Nessus	Oracle Linux Local Security Checks	high
92682	CentOS 6 : libtiff (CESA-2016:1547)	Nessus	CentOS Local Security Checks	high
92681	CentOS 7 : libtiff (CESA-2016:1546)	Nessus	CentOS Local Security Checks	high
90147	Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : tiff vulnerabilities (USN-2939-1)	Nessus	Ubuntu Local Security Checks	medium
88601	Debian DSA-3467-1 : tiff - security update	Nessus	Debian Local Security Checks	medium
88491	Debian DLA-405-1 : tiff security update	Nessus	Debian Local Security Checks	medium

CVE-2015-8784

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins